Only so many surveillance systems can be run with $10 billion a year. Thinkstock

August 1, 2013

ADVERTISEMENT

Sign Up for

Our free email newsletters

10 things you need to know today

Today's best articles

The week's best photojournalism

Today's top cartoons

Daily business briefing

For a moment, let's put aside the law. No FISA, no court, no inspector general, no nothing. If the law did not exist, what constraints, if any, would exist on the NSA leviathan?

I was thinking about this while I listened to Gen. Keith Alexander's presentation to Black Hatters. Because the debate has become so polarized, it seems as if you must choose to believe that laws provided either sufficient protection or none at all. I take a middle view, which doesn't make me very bookable on cable news. But as an exercise in thought, I wondered what it would mean if the U.S. government did not impose any legal constraints whatsoever on the NSA. At this extreme, how much information would the NSA be able to collect, what could they do with it, and what WOULD they with it?

Surveillance laws are not the only constraint on NSA. I will keep in place the budget, which is a law, of sorts, but one that it would be difficult for the NSA to simply ignore because it employs actual people who need to get paid to do stuff.

So assuming the NSA's budget is about $10 billion to $20 billion per year, we right away have stumbled onto one constraint.

There are only so many people who can be paid with that amount of money, only so many systems that can be run with that amount of money, only so many data centers that can be built with that amount of money, and only so many foreign partners that can be subsidized.

So: It logically follows that even a lawless NSA could not do everything it wanted. Presumably, the NSA's charter to collect foreign intelligence and break and make codes would help its managers prioritize resources. Resources include the types of collection systems, the type of training, the size of the analytical staff, and, of course, the specific targets of collection.

Add to this the constraints imposed by physics. Already, NSA has problems digesting more than a fraction of real-time internet activity. Digesting, not even looking at, but digesting. That is, getting the stuff into their computers so that they can do things with them. NSA is building a data center in Utah to help ease the constraints it has now; more content will be able to be stored.

Even then, NSA has to figure out how to find the megabyte needles in the petabyte haystacks WITH the budget and resource and charter constraints mentioned above.

It would stand to reason — again, with NO reference to the law or oversight — that it would be in NSA's interest to design its systems to filter out as much irrelevant data as possible and flag for possible human analysis.

It follows that a smart NSA that had no legal restrictions on it would try to build filters to automatically screen out as much data about U.S. citizens and U.S. persons as possible as quickly as possible. (True: It also follows that NSA wouldn't have any reason to worry about incidental overcollection — not legally, but just priority-wise — of U.S. persons data, but practically, they would have every reason just NOT to care about it or look at it.)

A lot of U.S. metadata would be stored in NSA databases because NSA would find it "relevant" for future collection purposes. With no laws or oversight, NSA could search it anytime they wanted and do anything they wanted to with it.

But why in their right mind would they waste their time doing that? In our alterna-world, the NSA can collect whatever it wants and store whatever it wants, but it would NOT want to burden its customers with irrelevant data. There are only so many FBI agents who can investigate NSA claims.

One final constraint: The people who work at NSA are (mostly) U.S. citizens. Let's assume that they want to keep their jobs and not rock the boat. Let's assume that they are gung-ho nationalist types. Why would THEY want to spend a lot of time, or even a relevant amount of time, spinning their wheels with irrelevant stuff.

Absent any laws, yes, NSA databases could indeed build rich dossiers on Americans. But why would NSA spend time and money and people putting that together? What would it do?

Absent any laws, yes, NSA could fabricate political apostasies and get the FBI to arrest people for things they didn't do. (Heck, this can happen, and does, without any NSA intervention). But again, why? Why do this wholesale? How does it serve the interests of U.S. policy-makers?

We can pretend that these other constraints do not apply, too, as exercises. But they all do apply.

The NSA after 9/11 arguably operated in this environment for a while. People like Bob Deitz, the NSA's former general counsel, won't like that characterization at the time, but NSA was left to its own devices for quite a while with only minimal and terribly thin oversight. And THEN, between five and seven years later, the laws caught up. A regime of oversight was imposed.

The point of this exercise is not to defend the NSA. It is to make this point about laws and oversight: as constraints on NSA, they aren't the most important in terms of protecting Americans from intrusive government searches.

The OTHER constraints are harder for NSA to ignore or wiggle out of. And that's why, as we talk about the types of oversight we want for NSA, we ought to focus on finding ways to use the law to help NSA conduct its core mission even more efficiently. One concrete focus: NSA should encourage and reward analysts and technologists who figure out how NOT to incidentally overcollect on Americans. If NSA hasn't figured out a way to segregate U.S. persons metadata from other metadata, Congress should give them the money to do figure it out.